[Zope-dev] RE: objectIds accessibility & and a proposal
Dieter Maurer
dieter@handshake.de
Wed, 20 Dec 2000 22:52:05 +0100 (CET)

Toby Dickenson writes:
> > ... protocol specific access rights ...
> Please No.
>
> Zope security is complex enough without having to worry about
> different security settings depending on how a method is accessed.
> (And we should have a lower tolerance for complexity when it applies
> to security)
>
> If a user has permission to access a method then he should be able to
> access it any way (xmlrpc, ZPublisher, DTML, PythonMethods)

I agree with you mostly.

But it might be a significant difference whether
you access via HTTP or HTTPS or even a protocol that
provides trusted authentication.

Furthermore, I would not put DTML and web access on the same
level:

There are objects that should be usable by Anonymous
inside DTML but should not be viewable over the
web (as they will only confuse).
All page components (such as "standard_html_header/footer")
fall into this category.

Dieter